IMA & tpm_unsealdata with PCR 10

Hi,

I've enabled IMA. The policies that are enabled check only binary files and modules.

The problem is that the booting of systemd is not predictable, so
after each boot the PCR 10 is different.

Then I'm unable to use tpm_unsealdata at PCR 10.

I would like to have your opinion on that. What is the point of PCR 10
if it's not the same at a certain moment in the Linux boot?

I wanted to use PCR 10 to protect a key based on the hash of each
binary in my Linux SD.

It looks like this is not the correct way.

I have an idea to fix it:

sort -k 5 /sys/kernel/security/ima/ascii_runtime_measurements > somefile.txt
sha1sum somefile.txt
With this, somefile.txt contains a hash that is always the same after each boot.
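
Added example, not part of the original message: a Python sketch of why PCR 10 depends on measurement order while a hash over the path-sorted list does not. The measurement lines, file contents and template hashes are constructed sample data in the ima-ng `ascii_runtime_measurements` layout, and the function names are hypothetical.

```python
import hashlib

# Constructed sample entries in the ima-ng ascii_runtime_measurements layout:
# <pcr> <template-hash> <template-name> <algo:file-hash> <path>
def _entry(path, content):
    file_hash = hashlib.sha1(content).hexdigest()
    # Constructed stand-in for the template hash that the kernel computes
    # over the template data fields.
    template_hash = hashlib.sha1(f"sha1:{file_hash}{path}".encode()).hexdigest()
    return f"10 {template_hash} ima-ng sha1:{file_hash} {path}"

ENTRIES = [
    _entry("boot_aggregate", b"constructed-boot-aggregate"),
    _entry("/usr/lib/systemd/systemd", b"constructed-systemd"),
    _entry("/usr/bin/dbus-daemon", b"constructed-dbus"),
    _entry("/usr/sbin/sshd", b"constructed-sshd"),
]
BOOT_A = ENTRIES
# Same files measured, but two services started in the opposite order.
BOOT_B = [ENTRIES[0], ENTRIES[1], ENTRIES[3], ENTRIES[2]]

def replay_pcr(lines):
    """Replay a list into a simulated SHA-1 PCR: new = SHA1(old || template_hash)."""
    pcr = bytes(20)  # a SHA-1 PCR starts as 20 zero bytes
    for line in lines:
        fields = line.split()
        if fields[0] != "10":
            continue  # only entries extended into PCR 10
        pcr = hashlib.sha1(pcr + bytes.fromhex(fields[1])).digest()
    return pcr.hex()

def sorted_list_digest(lines):
    """SHA-1 over the list ordered by path (field 5); approximates sort -k 5 | sha1sum."""
    ordered = sorted(lines, key=lambda l: l.split(maxsplit=4)[4])
    return hashlib.sha1(("\n".join(ordered) + "\n").encode()).hexdigest()

if __name__ == "__main__":
    print("PCR 10, boot A:      ", replay_pcr(BOOT_A))
    print("PCR 10, boot B:      ", replay_pcr(BOOT_B))
    print("sorted digest, boot A:", sorted_list_digest(BOOT_A))
    print("sorted digest, boot B:", sorted_list_digest(BOOT_B))
```

Only the value from `replay_pcr` corresponds to what the TPM holds and can seal against; the sorted digest is computed in user space from the measurement list.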


